This post is part of a series of posts categorized as “Wiki” that contain basic how-to information. The intent is to create a reference repository for myself, but I’m not selfish so if anyone else can also benefit from it then I’m happy to share the knowledge!
- OS: Linux/Windows
- Description: Identify compression, crypto functionality
Helpful Options:
- `-p` list the running processes and their modules
- `-P PID` use the process/module identified by its PID or by part of its name/path; it also accepts an offset and, optionally, a size in hex
- `-d FILE` dump the process memory (selected like `-P`) into FILE
- `-e` treat the input file as an executable (PE/ELF), useful for showing RVA addresses instead of file offsets
- `-F` as above, but returns the address of the first instruction that references the found signature, for example where the AES Td0 table is used; something like an automatic "Find references" in OllyDbg
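An added example, not code from the post or from the tool it describes, showing the core of what `-e` does: scan a file for well-known constant tables and translate each hit's file offset into an RVA through the PE section table. The signature set and the tiny PE image are constructed for the demo (`build_sample_pe` is a hypothetical helper, not a real binary).

```python
import struct

# Well-known constants: start of the AES forward S-box, the first two entries of a
# little-endian CRC-32 lookup table, and a common zlib stream header (constructed set).
SIGNATURES = {
    "AES S-box": bytes.fromhex("637c777bf26b6fc5"),
    "CRC32 table (LE)": struct.pack("<II", 0x00000000, 0x77073096),
    "zlib header": b"\x78\x9c",
}

def find_signatures(data, signatures=SIGNATURES):
    """Return (name, file_offset) for every occurrence of every signature."""
    hits = []
    for name, sig in signatures.items():
        start = 0
        while (pos := data.find(sig, start)) != -1:
            hits.append((name, pos))
            start = pos + 1
    return sorted(hits, key=lambda h: h[1])

def pe_sections(data):
    """Parse the PE section table into (PointerToRawData, SizeOfRawData, VirtualAddress)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size            # section headers follow the optional header
    out = []
    for i in range(nsections):
        hdr = data[table + 40 * i: table + 40 * (i + 1)]
        vaddr, rawsize, rawptr = struct.unpack_from("<III", hdr, 12)
        out.append((rawptr, rawsize, vaddr))
    return out

def offset_to_rva(offset, sections):
    """Map a raw file offset to an RVA; None if it falls outside every section."""
    for rawptr, rawsize, vaddr in sections:
        if rawptr <= offset < rawptr + rawsize:
            return vaddr + (offset - rawptr)
    return None

def scan(data, as_exe=False):
    """Like a plain scan, or with -e semantics: (name, file offset, RVA or None)."""
    sections = pe_sections(data) if as_exe else []
    return [(n, off, offset_to_rva(off, sections) if as_exe else None)
            for n, off in find_signatures(data)]

def build_sample_pe():
    """Constructed minimal PE: one .text section at raw 0x200 mapped to RVA 0x1000."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)  # 1 section, no opt hdr
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x100, 0x1000, 0x100, 0x200) + b"\0" * 16
    body = (dos + coff + sec).ljust(0x200, b"\0") + b"\0" * 0x10 + SIGNATURES["AES S-box"]
    return body.ljust(0x300, b"\0")
```

Running `scan(open(path, "rb").read(), as_exe=True)` on a real PE reports each hit both as a file offset and as the RVA you would look up in a disassembler.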